Sponsored Ads

The Web Security Mailing List

A False Positive is when you think you have a specific vulnerability in your program but in fact you
don't. Many security scanners such as Nessus scan an application (or service/daemon) and attempt to
find a vulnerability in it. Sometimes the signatures (the 'check logic') make mistakes and report a
vulnerability that may not exist. False positive are not limited to scanners they also affect
'Web Application Firewalls'
and 'NIDS's/IDS's/IPS's'. These monitoring products may report an attack attempt but sometimes
confuse the data it received with valid information. Every once in awhile you may run a scanner
that reports you as being vulnerable to a specific product (Like websphere) that you don't actually
run. Sometimes the same vulnerability exists in multiple products but when the 'check' was written
it was written with a specific application in mind and therefore the product and/or description for
the vulnerability may not be 100% accurate.

Unfortunately false positives will continute to exist but they can be limited by the skill of the
person writing the signatures or check logic. Before you go complaining to the vendor/author of the
product you're using saying 'you need to learn how to write checks better' remember that these checks
are carefully written and tested and you cannot always predict what everyone's custom environment will
look like. If you think you have a false positive carefully work with the author/vendor to try and
address the solution. Who knows maybe you *are in fact vulnerable*, or something else is vulnerable
to that particular 'security check' as outlined above.